3.0 Performing a Single-Server Installation

ZENworks® Endpoint Security Management Single-Server Installation (SSI) allows both the Policy Distribution Service and the Management Service to co-exist on the same server, which is not possible without using this installation option. The server must be deployed inside the firewall for security purposes, requiring users to receive policy updates only when they are inside the corporate infrastructure or connected via a VPN.

Deployment of the Single-Server Installation on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons.

NOTE:It is recommended that the SSI Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide.

To protect access to only trusted machines, the virtual directory and IIS can be set up to have ACLs. Reference the articles below:

For security purposes, it is highly recommended that the following default folders be removed from any IIS installation:

IISHelp

IISAdmin

Scripts

Printers

We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com.

Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.

Ensure that the following prerequisites are in place prior to beginning the installation:

Ensure access to a supported directory service (eDirectory™ or Active Directory).

For Endpoint Security Client to Single Server server name resolution, validate that the target computers (where the Endpoint Security Client is installed) can ping the SSI server name. If unsuccessful, you must resolve this before continuing with the installation. (Change the SSI server name to FQDN/NETBIOS, change AD to use FQDN/NETBIOS, change DNS configurations, modifying the local host file on the target computers to include the correct MS information, and so forth).

If you are using your own SSL certificates, ensure that the Web service certificate and root CA are loaded on the machine and that server name validated in the previous steps (whether NETBIOS or FQDN) matches the Issued to value for the certificate configured in IIS.

If you are using your own certificates or have already installed the Novell Self Signed Certificate, you can validate SSL as well by trying the following URL from a machine that has the Endpoint Security Client installed: https://SSI_SERVER_NAME/AuthenticationServer/UserService.asmx (where SSI_SERVER_NAME is the server name). This should return valid data (an html page) and not certificate warnings. Any certificate warnings must be resolved before installation, unless you opt to use Novell Self Signed Certificates instead.